What would be required to hack a satellite (in general terms, any hack really)? Are they all basically connected in the same way, or would I need different equipment, software, or otherwise. Are there different encryption algorithms in use? What communication protocols would I use? How should I pick one? What are the legal repercussions of doing so?

Generally, I'd like to find out how secure these computers flying above us really are, as not much is discussed about them in terms of security.

@Greg I'd have to be trolling pretty hard right now.
–
IncognitoAug 22 '11 at 20:14

2

What is the threshold for hijack? Would the ability to execute one or two non-invasive control functions during a specific limited time meet the threshold?
–
this.joshAug 23 '11 at 0:24

1

What type of satellite or can we pick any? Would an complete answer on a satellite with little to no security beat an incomplete answer on a more secure satellite?
–
this.joshAug 23 '11 at 0:25

3

The question is fairly open-ended, as the knowledge around this isn't wide spread and easily accessible. Ideally, the answer I'm looking for will discuss multiple environments that could be encountered rather than a specific target, as well as the types of attack that could be carried out on them. It's not a simple question, which is why I chose the highest bounty the site allows. I'm looking for a "more awesome answer".
–
IncognitoAug 23 '11 at 1:04

8 Answers
8

First, I learned a lot of my information from a combination of my amateur radio experience and an awesome talk I sat in at DEFCON 18. The majority of satellite systems are simple repeaters. The signal that comes in on a transponder is cleaned, amplified, and retransmitted. If you know the location and input frequency, and you pump more effective radiated power than anybody else, you win.

Many satellites also require command modules. These are used to interpret instructions to boost back into orbit or at the end of life, de-orbit into a "graveyard" pattern (or right into the atmosphere itself). Because most satellite systems are custom, it is a real crapshoot what you see for commands and security. I suspect that most command sequences are unencrypted and rely on the fact that a MITM attack on something in space is fairly hard.

Frequencies vary wildly from MHz to several tens of GHz. Your equipment needs to put out the right frequency through a dish that is the right size. Legally speaking, you will at a minimum foul the FCC or your national equivalent, by violating regulations on licensed broadcasting. Also, "birds" and airtime are expensive, so the civil liability if found can be bankrupting.

As far as taking a satellite transponder over is concerned, security relies on rarity of attacks, detection, and triangulation of the signal source. Then people come knocking on your door.

Finding a bird

First, you've got to have a target. Some satellites are geostationary, so they're easy. Other satellites have orbits that sending them in offset patterns around the world. The satellite will come into view at different elevations in the sky tracing different paths, so you'll need to know where it will be and how it will move in order to communicate.

Communications satellites tend to either be geostationary or part of a cluster of many satellites such that one or more is always in view of at least one ground station and any other point on the planet.

There are websites all over the place for this, and they often end up with military / disavowed satellites listed as people will track them with a telescope and then wonder why that one isn't listed yet.

Talking to a bird: Bands

Satellites operate on different frequencies, and the antenna used has to be sized to the frequency of the satellite. Most satellites operate in the microwave spectrum. The ubiquitous (in the United States) DirecTV / Dish Network antennas are usually on the higher end (smaller wavelength) of the spectrum. Because your signal has a lot of travel in its future and your target is small, your goal is to direct as much power in one direction as possible. Anything sent off to the sides, earth, etc. is wasted energy, so you will want an appropriately-sized high-gain antenna. Antenna design can be learned from amateur radio books on the topic.

Before someone chimes in and says, "You don't NEED a directional antenna and tracking motor," that's true... but it will help a hell of a lot. Just because your spot messenger or GPS doesn't have one doesn't mean you shouldn't use one if you can. It will keep your signal where you want it and limit the possibility of interference from or with other things using the same frequency. It also means that it will be harder for somebody to hunt you down. Being nicked just because you let strangers hear you might have some costs associated.

Talking to a bird: Protocol

Now we're getting a bit trickier. Some satellites are very simple, particularly amateur radio satellites. They receive a signal and they transmit that signal back. There are different variations of protocol, polarisation, modulation (QAM is a good one to understand), etc. If your target does more cleanup than just setting a noise floor and spitting things back out, you'll need to know that information as well.

Higher-level protocols may be standard IP/TCP, plaintext, encrypted, or some totally imaginary 17 bit codeword system that was dreamed up by a guy like Mel.

Taking over

You need to deliver more power to the right place with the appropriate protocol. Because almost every satellite is a custom design, that's challenging. If you goal is beyond simple re-broadcast, you're up against a big black box every time. Computers are small, low-power, and probably have next to nothing on them.

The best bet for MITM

If you can't afford to launch your own satellite, figure out where the ground station is and fly over it. Small aircraft are relatively cheap to rent (under $100 / hour to operate), tethered balloons may get high enough to have an effective angle, and if you're quite sneaky you can put something on the transmitter feed line itself.

Many smaller organizations rent their satellite time. I learned when I was 11 that the guy running the local news station's satellite truck is bored as hell when they're in between shots and will definitely show you all the cool things about his rig. Whatever he's renting is probably one of the easier things to get at because that has to be documented and relatively easy to work with.

What would be required to hack a satellite (in general terms, any hack really)?

When it comes to satellites, the word general does not apply. Almost every satellite, with very few exceptions is custom. Even the currently orbiting GPS satellites are not all the same: there are GPS IIA, GPS IIR, GPS IIR-M, and GPS IIF. I would venture that even satellites of the same type have minor variations. The only exception I would think would be the Iridium satellites. They may be highly similar because of the number launched at once, the short time beteen sucessive launches, and the lower value of each individual satellite.

Specific satellite or target of opportunity?

If you want to target a specific satellite you may need to travel to a location appropriate for interfacing with the satellite: either a location in the satellite's 'shadow' or to a command and control facility. Not all satellites have full earth coverage, so if a satellite you want to target does not fly over your location you will need to go where it does.

If you are looking for a target or opportunity then pick your location and find what satellites cover that spot. Realtime Satellite tracking is available from several websites like http://www.n2yo.com/.

Command and control center

One way to take control of a satellite is to take over the command and control center. All the equipment is set up and available. The command and control center vary in the level of security they provide, but a good guess is that CubeSat operation centers have poor security. http://csmarts.colorado.edu/for_operators/CGS-SYS-101.2BoulderGroundStation.pdf describes the equipment and configuration of a CubeSat operations station.

Direct communication

To communicate directly with the satellite you will need RF transmitting equipment with sufficient power and frequency range. To find the frequency range identify the type of satellite and look up what frequency range that type of satellite has allocated for Earth-to-space communication. http://www.ntia.doc.gov/files/ntia/publications/lrsp5c.htm is a good reference.

Are they all basically connected in the same way, or would I need different equipment, software, or otherwise.

No, with potentially some exceptions satellites are different even if they are of the same type. Suppose you launch a satellite which is going to be 1 of 6. You get it into orbit but when it achieves orbit you find that your uplink bandwidth is poorer than you expected. Likely before the launch of satellite 2 you will make some modifications. And when satellite 2 achieves orbit you find that it has difficulty when achieveing max transmit power in some frequency range. Depending on the time between sucessive launches each satellite will get tweaked. Oh, and then you can update their software. Satellites are no longer doomed to run the same software forever, the can be updated, and if a security vulnerability was discovered they could be 'patched'.

Once you identify the satellite you need to find its altitude. Most commercial, scientific, and educational satellites and their orbits are listed in NASA's NSSDC Master Catalog. However it may be more difficult to locate the frequency range the satellite uses to recieve commands from the ground. A good starting point is to look up the frequency spectrum allocated to the class of satellite.

The Earth-to-Space is the uplink to the satellite, so this is a good range to try.

Are there different encryption algorithms in use?

Likely. Remember that a significant number of those satellites are government owned (Russian, USA, France, Japan, China, India, Israel, Ukraine, Iran). I suspect most of those government satellites use encryption, and I couldn't even guess what encryption some countries would use.

What communication protocols would I use?

The protocol of the satellite you are targeting. One of the few well agreed to standards is frequency range. Then it depends on who launched the satellite and for what purpose.

What are the legal repercussions of doing so?

I'm not sure, I may get back to you on this one.

Generally, I'd like to find out how secure these computers flying above us really are, as not much is discussed about them in terms of security.

Given that not much is publicly discussed about satellites in general. The review of a satellite system depends on its value and cost. I don't think that there is any part of a satellite system that costs hundreds of millions of dollars ($US) or even billions of dollars ($US) that isn't well reviewed.

Yes to defcon talks being often good. This year there were less technical talks than I had hoped for.
–
hbdgafAug 22 '11 at 20:33

1

This should be a comment, because it doesn't even attempt to answer the question here, where you posted it as such. All the wrapping around the link you share is merely opinionated meta about it.
–
TildalWaveOct 7 '14 at 11:52

1

This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post.
–
SteveOct 7 '14 at 15:30

1

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.
–
PolynomialOct 7 '14 at 16:11

In addition to the low-cost solutions presented in other answers, which rely on beaming signals at the satellites, there's the (significantly, like many orders of magnitude) more expensive technique borrowed from Ian Fleming's Moonraker of going up there and stealing the thing. You don't even really need to get it back, just pointing it in the wrong direction or giving it a nudge will be enough to deny service.

Satellites have basically no physical security, except that it's expensive to get to where they are. Once you've overcome the cost barrier, you can swap bits out, push them into the atmosphere or whatever. While this is probably beyond the means of most individual hackers and criminal organisations (the fictional SPECTRE notwithstanding), a government could probably do it to another government's satellite. The theory is that you put a space plane into a polar orbit that looks like some reconnaissance or scientific mission, but fit it with the capability to change orbit such that it can intercept your target bird. It might then photograph, nudge or ram the other satellite. You do it while both devices are "round the back" of the planet, hoping that the owner of the victim bird doesn't have good surveillance of that portion of space.

Another capability that the US has demonstrated is crashing into the target with a rocket using their SM-3 weapon. This is much cheaper than the above plan: you don't even need any explosives because satellites are so flimsy the initial impact will do all of the work. It's still likely more expensive than misusing the satellite's control communications; it's also hard to repudiate such an attack.

The physical security provided by being in orbit is more than just expensive. It requires the cooperation of several experts in orbital physics, special material engineering, a launch facility, fuel sufficient to achieve 320+ km orbit with a velocity of 7.8 km/s. A Control stations capable of sending and receiving RF communications to the intercept vehicle. If the intercept vehicle manages to match the target's orbit and speed, it still needs to remove the target's protective covering without significant damage, and attach electrical connectors to the target's circuitry.
–
this.joshAug 21 '11 at 6:05

2

@this.Josh that's "just" expensive, but also hard to repudiate. "What 220-ton rocket, officer?" Btw I wouldn't worry about your orbital physics expert, you can do it with high school maths.
–
user185Aug 21 '11 at 8:02

2

If you consider acquire the cooperation of the relevent experts an expense then yes, you are right. I am skeptical that modeling a satellite's orbital to allow a satellite intercept vehicle to match orbit and velocity at a distance of a few meters can be done with high school maths. Especially given the irregular shape of the Earth, the non-uniform distribution of mass of the Earth, the non-uniform distribution of atmosphereis density (for LEO), photon preassure due to solar radiation, gravitational pull of the Moon, gravitational pull of the Sun, etc. And yes there is no repudiation.
–
this.joshAug 21 '11 at 8:24

Another possibility is simply detonating one of your own satellites that is already up there like this: npr.org/templates/story/story.php?storyId=6923805 and hoping the space junk does something or even (and I don't think this is far off from now) HK satellites that run about knocking other satellites outside of escape velocity or into a terminal descent. Kind of related to your answer...
–
hbdgafAug 22 '11 at 20:29

First, of all, I'm not expert on hacking satellites, I don't know how to turn GPS repeater into Death Star.
What I find interesting is space exploration, travelling into space and so... Everything I'll write here is just something I read somewhere and it's all hypothetical.

Satelitte hacking (yeah, I know it's not quite the same as hijacking it) is something what is known for quite some time and it's very popular among narco cartels, but also among "ordinary" people to get in touch (I guess Skype is too lame for them).
Anyway, earlier this year, there was huge police raid in Brazil on so called "satellite pirates" who used US military satelites, FLTSAT-8 and UFOs (yep, UFOs do exist and they are in the service of Uncle Sam). How did they hacked the satellites?

To use the satellite, pirates typically take an ordinary ham radio transmitter, which operates in the 144- to 148-MHZ range, and add a frequency doubler cobbled from coils and a varactor diode. That lets the radio stretch into the lower end of FLTSATCOM's 292- to 317-MHz uplink range. All the gear can be bought near any truck stop for less than $500. Ads on specialized websites offer to perform the conversion for less than $100. Taught the ropes, even rough electricians can make Bolinha-ware.

I know this is little off-topic, but just to illustrate how hard is to get military bird - to hack a Predator (MITM attack to get video feed), you only need 30$ software (source, software is called SkyGrabber).

Another example of hacking satellite, this time non-military, is Galaxy 15 which in April of 2010 has gone rouge. In this case, satellite just stopped to respond to C&C (command and control) commands while his systems are 100% in function. Interesting thing here is that only counter-measure to this state is rebooting the system (they tried about 150k-200k to restart the satellite - source).

All in all, to hijack (or hack) satellite is not a sci-fi scenario. Don't get me wrong, it's not companies and goverment who are responsible for them are careless. C&C HQs and signals coming from them (which are encrypted) are not problem. The weak link are satellites themself. When you build satellite, you don't care about security (so to speak), but you care about MTTF (mean time to fail) and MTTR (mean time to repair). In the perfect case scenario, you want satellite who will work from day 1 to doomsday and beyond. If satellite is malfunction, cost of repair is very high and it can't be repaired immediately. There are also risks that it can crush to Earth or flow into deep space. In any case, if satellite is not working, you are loosing a lot of money, time and, possibly, reputation. And with this in mind satellites are build.

Also, keep in mind, satellites are nothing more then little bit overcloacked radios (so to tell) and every radio can be jammed. Only thing you need is just feed satellite with random signals and it will be jammed. This is well-known problem around amateur radio enthusiasts, who are jammed by more powered signals from professional users (like TV stations).
In one article I found, following is said about this problems.

Analysts said there are several ways satellite systems can be disrupted. With sufficient power from a satellite dish on the ground, an orbiting satellite's signal can be blocked.
"One way is simply brute force, by sending a signal up to a given satellite and jamming it," said Steve Blum, president of Tellus Venture Associates, a satellite consulting firm. "That's nothing new. That's as old as radio itself."
Experts said that occasionally happens by accident, but jamming a satellite is easy to trace and communications services, such as TV signals, are rarely disrupted as programmers and providers usually have backup capacity on other satellites.
The computer systems used to monitor and control the satellites also pose a potential weak link; although most are housed in secure facilities, in theory they could be infiltrated, Blum said.
But industry sources said many of the potential pitfalls are not unique to satellites. Smaller radio stations have been known to have their signals blocked by more powerful transmitters. And hackers could just as easily attempt to break into the computer systems of a cable operator in an attempt to shut down services to a certain neighborhood.

So basically, what you are doing here is jamming unlink and/or downlink (something like DoS attack). To do this, you only need your own antena.

Another attack which can be preformed is orbital positioning attack (source)
In this case you are feeding your target with false responses and satellite is "confused" and "lost" (he doesn't know his location).

What would be required to hack a satellite (in general terms, any hack
really)?

Just answering to 'any hack'. It is possible to use a satellite to get a completely anonymous connection to the Internet that is untraceable, because the IP address you are using is the IP address of the satellite. Tutorial here. Note: do not try this, it is totally illegal.

Would the satcom not keep a log of connections?
–
IncognitoAug 23 '11 at 12:53

It would, but it wouldn't be triangulating because it is a directed signal. Say you are in New York: as far as the satellite is concerned you could be in Iceland or Florida.
–
jonesAug 23 '11 at 13:56

1

You do realize that you are only getting downlink from the satellite, and packets you transmit need a Internet entry point. The document even says Of course our ISP must allow IP spoofing on page 14.
–
this.joshAug 24 '11 at 4:49

3

How is it not tracable if we have to use our own ISP for the uplink?
–
user606723Aug 24 '11 at 18:00

Britain's Ministry of Defense is denying that the nation's military satellites were hacked, but the reported disruption raises questions about the security of all satellite-based communications services.

...

Analysts said there are several ways satellite systems can be disrupted. With sufficient power from a satellite dish on the ground, an orbiting satellite's signal can be blocked.

"One way is simply brute force, by sending a signal up to a given satellite and jamming it," said Steve Blum, president of Tellus Venture Associates, a satellite consulting firm. "That's nothing new. That's as old as radio itself."

Do some research about it and you'll find interesting facts...

You can also begin looking at satellites' positions in the sky: http://www.n2yo.com/?s=26038 and verify some information about them. You'll find that some satellites have nuclear protection, for example.

@this.josh there's a video of that presentation as well out there.
–
IncognitoAug 24 '11 at 0:15

2

What do you mean with "nuclear protection"? Hardened electronics to thwart against EM shock of a nuclear blast? Isolation to protect against nuclear blast radiation? Because ALL satellites have such protection in place, and it's usually referred to as Radiation Hardening (many, many ways to achieve that tho, with various certifications, e.g. "rad hot", "rad tolerant", "rad hardened",...). This comes down to the fact that our Sun is one giant fusion reactor and the rest of the stars et al. emit wave and particle radiation too.
–
TildalWaveOct 7 '14 at 11:43

1

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.
–
XanderOct 7 '14 at 13:07

This post is in draft

I'm getting a lot of one-liner answers to a question with 500 bounty, so I figure I'll try and raise the water-mark here for quality answers.

Post road-map:

Expand on past examples of hacks of satellites, work done

Find better information on satellite types, explain their usage, and function, as well as inferring potential risks.

Expand on the ecosystem of communications, and hardware

Expand on various protocols in use, analog or digital, etc.

What to look for in a target, what not to

Look deeper into legal issues, see if I can find any cases.

Suggested preventative measures future-looking and retroactively.

Bonus round??

What would be required to hack a satellite (in general terms, any hack really)?

What are your objectives? We could preform a MITM attack, we could preform a denial of service, blog the signals, exploit the actual satellite hardware, extract information, use it for our own purposes, attempt to destroy it, attempt to broadcast our own signals, or simply get free TV out of it (which is boring and well documented).

Satellites have been hacked since the very first launch of Sputnik. This involved eavesdropping with HAM radio sets, trying to listen in on the transmission. Of course, regulations soon came into place and it's interesting to see that the modern concept of TV via Satellite was born from hackers who enjoyed things but the regulators quickly attempted to crack down on. Eventually, we saw some forms of scramblers and other protection methds coming out, which turned into, of course, a fight back, and the C64 played a part in decrypting signals on-the-fly. The eavesdropping ended, and eventually hackers found openings in different satellites they could use to transmit their own TV signals off of. Other uses included use of military satellites to make international calls, or simply eavesdropping in on calls and faxes.

Types of satellites:

We need to take a look at what types of satellites are out there to understand the function of them, thus, what functions could be exploited.

Now you need to look into the design of them, which has changed qite a bit over the past few decades. Lets look at ones that are still kicking, either in junkyard or active, moving from oldest designs to newest designs...

Different encryption algorithms in use

Re-use of code is really a common theme in the 21st century, modern satellites will likely be running modern code with documentation and many qualified eyes reviewing security, while older models may have had cowboy coders bit-fiddling with assembly to save storage space, meaning they're designed to work in the constraints they were designed for, not to deal with malicious exceptions or any errors you can throw at them. The older models are much harder to find documentation in the public domain about.

What communication protocols to use

Everything from analog shortwave to FTP on the TCP/IP stack.

How should I pick one

What's active, what isn't, what's a high risk, what isn't, what's easy, what's hard, what rewards are behind some targets versus others, who might be interested in these targets.

What are the legal repercussions of doing so

You could use bureaucratic processes to your advantage: operate in multiple nations, such as, a comsat owned by A, over airspace B, from a receiver in C, and the operator is in D, with nationality E......

@this.josh There's actually channels where amateurs can play with this stuff legally. I've seen awesome setups where all you need is $1000 and a HAM licence, and they launch a small satellite in LEO which orbits for about 30 days before burning up. (They launch a few hundred of them at once)
–
IncognitoAug 25 '11 at 13:53

Amateur satellites existed since the 1960s. The early concept was to put amateur radio repeaters in space. Recently CubeSats have become popular. The specification and shared technology helped bring down the cost of designing and building amateur satellites. In 2007 the European Space Agency committed to launch educational CubeSats as additional payload on as many launches as possible. They are currently carrying 9 CubeSats per launch. Many satellites orbit for years; the oldest operating amateur satellite was launched in 1993.
–
this.joshAug 25 '11 at 17:07